Hashcat + wlangenpmkocl how to convert back to plaintext ?
#12
(02-22-2021, 01:13 PM)ZerBea Wrote: For sure a mask on a PMK will work, in case you have 90% of the PMK.
Example:
$ wlangenpmk -e hashcat_net -p hashcat1

essid (networkname)....: hashcat_net
password...............: hashcat1
plainmasterkey (SHA1)..: 9cff1131859ffd9255a3bd412db53d3a576c41910cff9bf8165176b3fd6fdbf0

If you run hashcat with this mask
9cff1131859ffd9255a3bd412db53d3a576c41910cff9bf8165176b3fd6fdb?h?h
it will verify the PMK.
Please note my wording: I didn't write it cracked the network or it recovered the PSK.

Now take a look at the result of PBKDF2 if you change a character within the ESSID:
$ wlangenpmk -e hashcat-net -p hashcat1

essid (networkname)....: hashcat-net
password...............: hashcat1
plainmasterkey (SHA1)..: da4976c8e0e045d3f3e48e3213953cde92f6ac2e0b75b5dde88d4177e924251a

No chance to run this simple mask to verify the PMK.

Now we change a character of the PSK:
$ wlangenpmk -e hashcat_net -p hashcat2

essid (networkname)....: hashcat_net
password...............: hashcat2
plainmasterkey (SHA1)..: 332f14d711b5be5b5b8dcce42c36a0b452502cab0d7db1b5a4ef7ac9d7ec90b3

Our simple mask will fail, too.

In every case you must do "slow" PBKDF2:
ESSID + PSK -> PMK
ESSID + PMK -> PSK

And if you discover a new PMK, ESSID + PMK -> PSK is mandatory.


hash mode comparison table:
2500 -> 22000
2501 -> 22001
16800 -> 22000
16801 -> 22001

2500 & 16800 -> 22000 reuse of PBKDF2
2501 & 16801 -> 22001

Mostly I don't use masks, rules or big wordlists found on the www.
hcxdumptool/hcxtools and hashcat (or JtR) are more than enough for me.

I recommend not to convert hccapx to 22000, because you don't know anything about the quality of the hccapx file.
It is much better to recapture and to convert the captures directly to 22000.

Which tools do you use for capturing and converting?

Hey there,

OK, I need to re-read this a few times to fully understand it.

Meanwhile, my current workflow is as follows (forgive the noobishness, I know I should be doing it manually and will when I attempt the method you show above).

Ran wifite and let it capture the handshake automatically.
Ran /usr/share/hashcat-utils/cap2hccapx.bin INPUTFILE.cap OUTPUTFILE.hccapx

Meanwhile, the workhorse is building the BIG-WPA-1 wordlist into PMKs (40 hrs):
sudo wlangenpmkocl -e "Name Of The AP(spaces on purpose)" -i BIG-WPA-LIST-1 -A OUTPUT.pmk

Then I moved to the cracking rig:
hashcat -a 6 -m 2501 -w 4 "ANALYZE ME\TARGET.hccapx" dict\BIG-WPA-LIST-1.pmk masks\rockyou-1-60.hcmask

Gazillion quadrillion keys every few seconds being sequenced, but STILL not finding my password, grrr. Now we need to focus on rule creation and a custom wordlist I think, le sigh.

Or start from scratch using your method, try again, and then branch off.

EDIT: Just answered my earlier question about the order of candidates in collision attacks: I just discovered Markov chains. Something special here... Can I use Markov chains in a hybrid attack (-a 6)? I'm wondering what fascinating things this would do to a wordlist.
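The PBKDF2 relation ZerBea describes (ESSID + PSK -> PMK, and why ESSID + PMK -> PSK is a fresh PBKDF2 run per candidate, not a conversion), as an added Python example that is not part of this thread or of hcxtools. It reproduces the three wlangenpmk values posted above with the standard library; the candidate list is constructed for the demonstration.

```python
import hashlib
from typing import Iterable, Optional

PBKDF2_ROUNDS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32          # bytes; wlangenpmk prints it as 64 hex chars


def pmk(essid: str, psk: str) -> str:
    """ESSID + PSK -> PMK: PBKDF2-HMAC-SHA1, keyed with the passphrase and
    salted with the network name. Every byte of the ESSID (spaces too) is
    part of the salt, so a one-character change yields an unrelated PMK."""
    return hashlib.pbkdf2_hmac(
        "sha1", psk.encode(), essid.encode(), PBKDF2_ROUNDS, PMK_LEN
    ).hex()


def psk_from_pmk(essid: str, pmk_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """ESSID + PMK -> PSK: there is no inverse of PBKDF2. The only way back
    to the passphrase is to push each candidate through the same 4096
    rounds and compare, which is exactly the 'slow' step hashcat does."""
    target = bytes.fromhex(pmk_hex)
    for cand in candidates:
        if bytes.fromhex(pmk(essid, cand)) == target:
            return cand
    return None


if __name__ == "__main__":
    # Values quoted in the thread: same PSK with a changed ESSID, and same
    # ESSID with a changed PSK, both give completely different PMKs.
    for essid, psk in (("hashcat_net", "hashcat1"),
                       ("hashcat-net", "hashcat1"),
                       ("hashcat_net", "hashcat2")):
        print(f"{essid:12s} {psk:9s} {pmk(essid, psk)}")

    # Constructed candidate list: recovering the PSK behind a known PMK
    # still costs one PBKDF2 run per candidate, there is no shortcut.
    known = pmk("hashcat_net", "hashcat1")
    print("recovered:", psk_from_pmk("hashcat_net", known, ["hashcat2", "hashcat1"]))
```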


RE: Hashcat + wlangenpmkocl how to convert back to plaintext ? - by pr0ph3t - 02-22-2021, 11:28 PM